U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

PUBLIC RELEASE

BUREAU OF EXPORT ADMINISTRATION

Year 2000 Preparations Are Effective,
But Additional Risk Mitigation Is Needed

Inspection Report No. OSE-12551 / December 1999

Office of Systems Evaluation

U.S. Department of Commerce                                       Inspection Report OSE-12551
Office of Inspector General                                                   December 1999

ECASS is the software application BXA uses to route, process, and control export license
application and enforcement investigation information and is also used by the Central
Intelligence Agency and the Departments of Defense, Energy, State, and the Treasury. BCI is
essentially BXA’s local and wide-area network and supporting network infrastructure. CWCIMS
consists of a database that maintains declaration documents submitted by chemical producers.
ECASS and BCI support BXA’s two core business processes: licensing and enforcement.

BXA completed an agency-wide BCCP in January 1999, followed by detailed BCCPs for its
Office of Export Administration for core export licensing processes, and Office of Export
Enforcement for export enforcement processes. In addition, BXA has developed a Day One
strategy of actions to be executed in managing the critical century rollover period from
December 27, 1999, through January 7, 2000.

PURPOSE AND SCOPE OF INSPECTION

The purpose of our review was to reduce the risk of business interruptions due to the Y2K
century change by assessing actions taken by BXA and recommending practical risk mitigation
and contingency planning activities that could be executed in the time remaining before the
century change.

Our review was focused primarily on BXA’s BCCP and Day One plan, including the actions
taken and planned to prepare for the possibility that BXA may need to meet mission
requirements without benefit of the mission-critical systems that normally support core business
processes. Our scope also included a review of independent verification and validation (IV&V)
testing of BXA’s mission critical systems for Y2K readiness. Our primary focus was the ECASS
and BCI systems because they were renovated and will be in operation at the century change.

Our methodology included evaluating documentation and interviewing staff within BXA’s Office
of Administration, Office of the Chief Information Officer, Office of Export Administration, and
Office of Export Enforcement. Our evaluation criteria were derived from General Accounting
Office (GAO) and Office of Management and Budget guidelines written specifically for the Y2K
computing crisis, research institutions, and best business practices.

Our work was performed in accordance with the Inspector General Act of 1978, as amended, and
the Quality Standards for Inspections, March 1993, issued by the President’s Council on
Integrity and Efficiency.

OBSERVATIONS AND CONCLUSIONS

Based on the successful renovation of its ECASS and BCI systems, and the development of
CWCIMS using Y2K compliant software, BXA reports that its mission-critical systems are Y2K
compliant. However, BXA needs to test its BCCP to ensure that core business functions can be
performed as planned in the event of a critical system failure.

I. Successful Repair and Testing of Critical Systems

CWCIMS was developed with Y2K compliant software and hardware and will not become
operational until 2000; however, ECASS and BCI needed renovation to become Y2K compliant.
BXA renovated ECASS to use dates with 4-digit years and moved the renovated version to
production in January 1998. To make BCI compliant, BXA replaced three secondary servers,
renovated their primary file servers, purchased and installed two new central routers for its LAN,
migrated telecommunication lines, and determined that all WAN routers were Y2K compliant.
BXA initiated IV&V of ECASS, BCI, and CWCIMS in October 1998 and reported in July 1999
that all three mission-critical systems are Y2K compliant. Based on BXA’s renovation, future
date testing, IV&V contract, and production use of the renovated ECASS and BCI, it is
reasonable to expect that ECASS and BCI will continue to function after December 31, 1999.

II. BCCP Needs to be Tested

BXA developed a thorough BCCP identifying contingencies for performing core business
processes in the event that critical systems are not available. However, the agency has not tested
the BCCP to validate its contingency plans. Contingency plans are based primarily on alternative
manual processes. BCCP activities will be managed and executed by a Management Oversight
Team and a BXA Y2K Response Team. BXA has defined roles and assigned responsibilities.
Threats, risks, and vulnerabilities are addressed for each mission-critical BXA system and for
non-mission-critical systems. “Triggers” for activating contingency plans and minimum
acceptable levels of outputs and services during potential Y2K system failures have been
identified. BXA also developed detailed contingency plans for Export Enforcement
(enforcement process) and Export Administration (licensing process), and a Day One plan.

Even though agencies such as BXA have undertaken significant efforts to make their systems
Y2K compliant, there remains a risk that one or more mission-critical systems will fail and
severely affect the agency’s ability to deliver critical services. The Department requested all
bureaus to follow GAO’s BCCP guidance, which instructs agencies to develop potential Y2K
failure scenarios and “assume the loss of all mission-critical information systems due to
post-implementation failures or delays in renovation or testing.” The BCCP and Day One plan are
intended to reduce the risk that a Y2K failure will result in a business process failure. However,
the BCCP needs to be tested to validate that contingency plans will satisfy the agency’s needs.
Testing contingency plans, a major component of GAO’s BCCP guidance, was not addressed in
BXA’s BCCP. The plan does not document that any BCCP tests or plans for the Response
Team to rehearse the Day One plan have been conducted or are scheduled.

The objective of BCCP testing is to evaluate whether contingencies provide the desired level of
service to customers and can be implemented within a specified time. To prepare for BCCP
testing, BXA must define the necessary test conditions, tasks, and standards that are required to
validate that contingency service levels and implementation schedules are attainable. Rehearsals
should include the following elements:

•      Test conditions - Assume that ECASS is non-operational due to Y2K, and therefore, the
       Offices of Export Administration and Export Enforcement must function for the first
       week of the new year in a fully manual, paper-based mode of operation.
•      Test tasks - Implement manual processing for license applications. This should include
       (a) processing applications submitted electronically, (b) checking 5 to 10 years of
       historical records, (c) screening by the Treasury, and (d) referring applications to the
       Departments of State, Defense, Energy, and the Central Intelligence Agency. BXA
       should also rehearse the Day One plan with the Response Team.
•      Standards - Set levels of outputs and services and establish priorities. For example,
       expedite emergency treatment to those cases that affect public safety and health.

These “tests” of the BCCP should consist of rehearsals where members of the Response Team
and other necessary staff would walk through the steps of the plan as though a trigger for
contingency actions had been activated. The results of these tests should be used to update and
improve the BCCP and Day One plans, as appropriate.

BXA explained in our exit conference that it did not plan to test the BCCP because alternative
core business processing methods were employed within the last several years during furloughs.
However, during the furloughs, systems were not disabled as they may be entering Y2K.
Instead, there was a shortage of people to operate the systems. BXA officials also explained that
only export licenses submitted in paper format were processed during furloughs; however,
approximately 60 percent of BXA’s license applications are now submitted electronically.

RECOMMENDATION

To ensure the continuity of core business processes in the event of system failures associated
with the turn of the century, we recommend that the Under Secretary for Export Administration
validate the business continuity and contingency plans by conducting BCCP tests and rehearsing
the Day One plan with the Response Team.

       Synopsis of BXA’s Response

       BXA reiterated the comments made at the December 13, 1999 exit conference, and did
       not address the dissimilarities between previous furloughs and potential future Y2K
       disruptions. BXA cites prior experience in processing export licenses and enforcement
       actions manually. In 1996, federal employees were furloughed three times and BXA
       reverted to the manual processing of license applications. BXA contends that the current
       detailed BCCPs are based on BXA’s 1996 experiences, so BXA, in effect, has already
       tested the BCCP on three occasions, and each time it worked.

       BXA believes it would have taken longer than the few remaining work days in 1999 to set
       up the evaluation process outlined in our recommendation and run the test. BXA also
       believes that any marginal gains from testing and updating the plan would not justify the
       resources that would be required.

       OIG Discussion

       We reaffirm our recommendation. We do not agree with the BXA view that operational
       activities in 1996 were analogous to a test of a plan which did not exist until 1999. Also,
       BXA does not specifically address our recommendation to rehearse the BXA Day One
       plan for a truly unique, one-time event, which has never been rehearsed.

       The BXA BCCP should have been tested and the Day One plan should have been
       rehearsed. This could have and should have been initiated by December 13, 1999. On
       that date, sufficient time was available to complete testing by December 27, 1999. In
       addition, BXA did not need our recommendation in order to conduct the tests and
       rehearsal. The August 1998 GAO guidelines identify testing as the final phase of business
       continuity and contingency planning’s four phases and are sufficient reason for testing
       the BCCP. GAO’s October 1999 guidance for Day One planning states that Day One
       plans and their key processes should be rehearsed.

BXA’s full response is included as Appendix A.

Appendix B
Acronyms Used in This Report

BCCP           Business Continuity and Contingency Plan
BCI            BXA Communications Infrastructure
BXA            Bureau of Export Administration
CWCIMS         Chemical Weapons Convention Information Management System
ECASS          Export Control Automated Support System
GAO            General Accounting Office
IV&V           Independent Verification and Validation
Y2K            Year 2000